Public bug reported:

When a port is created on a network with port security disabled, by default it should have port-security disabled too. But if using --no-security-group in the creation, then the port is created without security groups, but with port-security enabled.

openstack network show no-ps
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        | defaultv3                            |
| created_at                | 2019-02-11T07:58:34Z                 |
| description               |                                      |
| dns_domain                |                                      |
| id                        | 58404ae1-650d-40c0-9ba9-9558f34fe81a |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | None                                 |
| is_vlan_transparent       | None                                 |
| location                  | None                                 |
| mtu                       | None                                 |
| name                      | no-ps                                |
| port_security_enabled     | False                                |
| project_id                | 8d4f3035db954f32b320475c1213657c     |
| provider:network_type     | None                                 |
| provider:physical_network | None                                 |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 3                                    |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 605cabbe-4064-4e66-8d3d-a5320abdfe2d |
| tags                      |                                      |
| updated_at                | 2019-02-11T07:58:39Z                 |
+---------------------------+--------------------------------------+

openstack port create --network no-ps --no-security-group no-sg
+-------------------------+-----------------------------------------------------------------------------------------------------------+
| Field                   | Value                                                                                                     |
+-------------------------+-----------------------------------------------------------------------------------------------------------+
| admin_state_up          | UP                                                                                                        |
| allowed_address_pairs   |                                                                                                           |
| binding_host_id         | None                                                                                                      |
| binding_profile         |                                                                                                           |
| binding_vif_details     | nsx-logical-switch-id='ca492f0f-34c3-4b9a-947c-1c53d651140f', ovs_hybrid_plug='False', port_filter='True' |
| binding_vif_type        | ovs                                                                                                       |
| binding_vnic_type       | normal                                                                                                    |
| created_at              | 2019-02-11T08:55:50Z                                                                                      |
| data_plane_status       | None                                                                                                      |
| description             |                                                                                                           |
| device_id               |                                                                                                           |
| device_owner            |                                                                                                           |
| dns_assignment          | fqdn='host-66-0-0-16.openstacklocal.', hostname='host-66-0-0-16', ip_address='66.0.0.16'                  |
| dns_domain              | None                                                                                                      |
| dns_name                |                                                                                                           |
| extra_dhcp_opts         |                                                                                                           |
| fixed_ips               | ip_address='66.0.0.16', subnet_id='605cabbe-4064-4e66-8d3d-a5320abdfe2d'                                  |
| id                      | 006a0952-469a-4de2-ac08-855155320582                                                                      |
| location                | None                                                                                                      |
| mac_address             | fa:16:3e:be:fa:c2                                                                                         |
| name                    | no-sg                                                                                                     |
| network_id              | 58404ae1-650d-40c0-9ba9-9558f34fe81a                                                                      |
| port_security_enabled   | True                                                                                                      |
| project_id              | 8d4f3035db954f32b320475c1213657c                                                                          |
| propagate_uplink_status | None                                                                                                      |
| qos_policy_id           | None                                                                                                      |
| resource_request        | None                                                                                                      |
| revision_number         | 3                                                                                                         |
| security_group_ids      |                                                                                                           |
| status                  | ACTIVE                                                                                                    |
| tags                    |                                                                                                           |
| trunk_details           | None                                                                                                      |
| updated_at              | 2019-02-11T08:55:50Z                                                                                      |
+-------------------------+-----------------------------------------------------------------------------------------------------------+

The problem is in _determine_port_security_and_has_ip when the code is checking validators.is_attr_set(port.get('security_groups')) instead of checking if it is not empty

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1815424

Title:
  Port gets port security disabled if using --no-security-groups

Status in neutron:
  New
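
The check named at the end of the report, modelled as an added example (not neutron's code and not part of the original bug report). `is_attr_set` and `ATTR_NOT_SPECIFIED` are local stand-ins, and the request shapes, including an empty `security_groups` list for `--no-security-group` and the `fixed_ips` condition, are assumptions.

```python
# Simplified model of the decision described in the report. This is NOT
# neutron's code: ATTR_NOT_SPECIFIED and is_attr_set are local stand-ins.
ATTR_NOT_SPECIFIED = object()  # stand-in for "attribute absent from request"


def is_attr_set(value):
    """True for anything the caller supplied, including an empty list."""
    return value is not None and value is not ATTR_NOT_SPECIFIED


def determine_port_security(port, network_psec, require_non_empty):
    """Return the effective port_security_enabled for a new port.

    require_non_empty=False models the reported check (is_attr_set only);
    require_non_empty=True models the check the reporter asks for.
    """
    explicit = port.get("port_security_enabled", ATTR_NOT_SPECIFIED)
    if is_attr_set(explicit):
        return explicit  # an explicit value always wins

    groups = port.get("security_groups", ATTR_NOT_SPECIFIED)
    has_ip = bool(port.get("fixed_ips"))  # assumed precondition
    groups_given = is_attr_set(groups)
    if require_non_empty:
        groups_given = groups_given and len(groups) > 0
    if has_ip and groups_given:
        return True  # security groups requested, so enable port security
    return network_psec  # otherwise inherit the network setting


# Constructed requests against a network with port security disabled.
NETWORK_PSEC = False
IP = [{"ip_address": "66.0.0.16"}]
REQUESTS = {
    "no flag": {"fixed_ips": IP},
    "--no-security-group": {"fixed_ips": IP, "security_groups": []},
    "one group": {"fixed_ips": IP, "security_groups": ["sg-constructed"]},
}


def compare():
    """Map each request to (reported behaviour, proposed behaviour)."""
    return {
        name: (determine_port_security(req, NETWORK_PSEC, False),
               determine_port_security(req, NETWORK_PSEC, True))
        for name, req in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (reported, proposed) in compare().items():
        print(f"{name:22} reported={reported!s:5} proposed={proposed}")
```

Only the `--no-security-group` row differs between the two columns: the empty list counts as "set", so the port does not inherit the network's disabled port security.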